'Operation Parliament' Imitates Another Actor to Stay Undetected

A series of geopolitically motivated attacks ongoing since early 2017 and targeting high profile organizations worldwide appear to be a symptom of escalating tensions in the Middle East region, Kaspersky Labs reveals.

Utilizing unknown malware, the actor remained under the radar by imitating another attack group in the region, which also made attribution difficult, especially given recent examples of false flags being planted to send investigators down the wrong tracks.

While the initial attacks look as the work of the unsophisticated Gaza Cybergang (decoys, file names), deeper analysis revealed a different picture, Kaspersky says.

The attacks, which Kaspersky refers to as Operation Parliament, were clearly centered on espionage, hitting top legislative, executive and judicial bodies. Since early 2017, the attackers targeted numerous organizations worldwide, but focused mainly on the Middle East and North Africa (MENA) region, especially Palestine.

Supposedly connected to incidents Cisco Talos detailed earlier this year, the assaults targeted high-profile entities such as parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies, and other unknown entities.

Kaspersky believes the attacks are the work of “a previously unknown geopolitically motivated threat actor” doing “just enough to achieve their goals.” The attackers supposedly have access to additional tools when needed and also use “an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff.”

Compromised systems range from “personal desktop or laptop systems to large servers with domain controller roles or similar.” They belong to ministries responsible for telecommunications, health, energy, justice, finance, and other areas.

The attackers have carefully verified victim devices before infecting them and also safeguarded their command and control (C&C) servers. The attacks slowed down since the beginning of this year, likely “winding down when the desired data or access was obtained,” Kaspersky notes.

“The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital),” the researchers point out.

Packed with VMProtect, the employed malware didn’t reveal similarities with previously known malicious programs. Encryption and obfuscation were applied to all strings and settings, while communication with the C&C server was achieved via HTTP.

Data sent to the C&C is encrypted and the malware uses different keys for local and network encryption. The malware initiates communications by sending basic information about the infected machine and the server responds with the encrypted serialized configuration.

The malware provides a remote CMD/PowerShell terminal for the attackers, which allows them to execute scripts and commands on the compromised machines, and to receive the results via HTTP requests.

Kaspersky would not provide full details on the attacks and the used malware, but points out that high-profile organizations should have advanced protections in place, given that attacks against them “are inevitable and are unlikely to ever cease.”

“These organizations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence capabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and insider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for protecting organizations in the current threat landscape,” Kaspersky concludes.